Digital Deception: Navigating the maze of social engineering frauds in the age of instant transactions

By Lakshay Narang

In recent times, fraudulent messages have become alarmingly prevalent, victimising unsuspecting customers who fall prey to their deceptive tactics. A prime example of this disturbing trend involves a woman from Gurugram who, upon receiving an SMS about the immediate closure of her bank account, purportedly from her bank, followed the instructions provided in the SMS to prevent the closure. Tragically, she became a victim of fraud, losing a substantial sum of Rs 1 lakh with little hope of recovering her money.

These fraudulent messages have proliferated during the pandemic, where fraudsters induce panic or excitement that impairs the customers’ ability to think clearly. By fabricating emergencies and appealing to basic emotions, fraudsters manipulate customers into either chasing false rewards or avoiding potential losses. Consequently, customers lower their guard and unknowingly disclose sensitive information to fraudsters. Such fraudulent tactics are known as social engineering fraud.

Recognising the surge in digital transactions, the Reserve Bank of India (RBI) rolled out the limited liability framework in 2017. This framework ensures compensation for customers who lose money in unauthorised transactions. While it’s a significant step in customer protection, it doesn’t cover unintentional yet authorised transactions. The increase in instant digital transactions, especially via the Unified Payments Interface (UPI), has led to a rise in such unintended transactions.

For example, a woman in Gurugram was misled by an SMS into believing her bank account was on the verge of closure. Following the message’s instructions, she entered her details and authorised the transaction, unaware she was being scammed. Typically, UPI transactions are considered authorised since customers input their PINs. But in social engineering scams, customers think they are transferring money to one person when it’s actually going to someone else. These scams result in authorised but unintentional transactions, which the RBI’s limited liability framework doesn’t currently address. 

To bridge this gap, the RBI, and the National Payments Corporation of India (NPCI) initiated customer awareness programmes. These programmes aim to educate customers about various fraud schemes and fraudsters. Such programmes assume that increased awareness about fraudsters and their modus operandi among customers will prevent customers from falling prey to fraud. However, the desired impact of such programmes may not be as easy to achieve.

For instance, evidence shows that customers are sufficiently aware of the importance of not sharing OTPs and PINs with unknown individuals. However, despite high awareness, the number of fraud cases has been rising. This indicates that aware customers are still engaging with fraudulent messages and/or calls. This contradiction highlights two crucial learnings: first, the assumption that heightened awareness alone is insufficient in reducing fraud, and second, the fraudsters skillfully exploit customers’ inherent mental biases by inducing a ‘hot-state’ – an emotionally charged state in which customers’ ability to think clearly is impaired.

Also read: Banks’ digital payments frauds nearly double in FY23

A deeper analysis of this contradiction shows that various behavioural biases, including innate personality traits (high appetite for risk, loss aversion etc.), motivations (expecting financial gain or loss), comfort with digital financial services (lack of knowledge about UPI), and cognitive biases (impulsiveness), influence an individual’s likelihood of engaging with fraudulent messages. These biases reinforce each other, undermining the impact of awareness campaigns on customer behaviour. 

Campaigns that only address the information gap by generating awareness tend to overlook these biases. In order to bring about behavioural change among customers, the campaigns must

(i) provide the customers with relevant information,

(ii) make customers aware of and appeal to their emotions. It seems that the current campaigns have successfully used popular celebrities to connect with customers on an emotional level, but in the service of providing customers with relevant information.

As a result, they missed the opportunity to inform customers about how to manage their emotions in a hot-state. By familiarising the customers to adverse behavioural patterns and biases, campaigns can become more effective in changing customer behaviour towards fraudulent actors and communications. For instance, campaigns could highlight typical, adverse customer responses to fraudsters and fraudulent communication and guide them on how they might behave instead. 

Lessons from other countries, like the UK, highlight the value of making customers aware of their behavioural biases. The UK’s “Take Five” initiative encourages people to “take five minutes” when faced with potential fraud situation. The idea is that fraudsters often create a sense of urgency. By taking five minutes to think things over, customers can reflect on the information given and their own reactions. This pause is believed to help customers step back from the immediate emotional response, allowing clearer thinking and reducing the risk of fraud. Similarly, the Federal Trade Commission in the USA suggests practical steps to help customers think clearly. This includes taking a moment to pause and even seeking advice before going through with a transaction.

However, to ensure comprehensive customer protection, it is crucial to complement effective awareness campaigns with robust structural safeguards. For instance, customers are often unaware regarding the available recourse mechanisms after experiencing fraud incidents. Additionally, filing complaints can be tedious, discouraging aggrieved customers from reporting frauds and eroding their confidence in the system. Resolving such customer concerns will allow us to harvest fully the dividends of a sophisticated payments system.

(The author is a research associate with Dvara Research. Views expressed are the author’s own and not necessarily those of financialexpress.com)